SAN FRANCISCO — The U.S. and China agreed Friday that neither country will conduct economic cyber-espionage on the other in a new deal that has been hailed as a possible breakthrough.
But even as President Barack Obama announced the agreement, he stressed it would only improve relations if there was a real change in practice, saying, "The question now is, are words followed by actions?"
The United States has accused China of stealing billions of dollars' worth of intellectual property and trade secrets from U.S. companies, as well as being behind the Office of Personnel Management (OPM) hack that obtained the personal information of over 22 million federal employees. China has denied such activity — with Xi announcing earlier this week that "the Chinese government will not engage in commercial theft or encourage or support such theft by anyone."
"China is ready to set up a high-level, joint dialogue mechanism with the United States on fighting cybercrime," Xi said.
In Congress, reaction to Friday's announcement was guarded. "I remain skeptical that China will deliver on this promise," said Rep. Adam Schiff (D-CA), the Ranking Member of the House Permanent Select Committee on Intelligence, in a statement given to BuzzFeed News. "But if curbing cyber theft is a journey of a thousand miles, perhaps China has taken a first step."
The U.S. government has also denied charges of cyber-espionage or cyber-theft, although Edward Snowden's NSA revelations catalogue U.S. cyber activities in Beijing.
Cybersecurity experts said the agreement was a good start, but that it would need to be significantly expanded in the coming years. In the weeks leading up to Friday's meeting, White House officials suggested that the agreement could address attacks on critical infrastructure, like power stations and hospitals.
"This is one of the most complicated problems around. The consequences of not getting it right are immense," said Richard Bejtilich, chief security strategist of the FireEye cybersecurity firm. "Both China and the U.S. are eager to hammer something out because anything at this point would benefit either party immensely. That doesn't mean that what they are going to hammer out will makes thing better on the ground."
Cybersecurity firms like FireEye are one of the fastest growing industries in the U.S., with companies reporting an unprecedented increase in the number of cyberattacks they face daily. In an interview with CBS last year, FBI director James Comey said there were "two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
Despite a report last week saying attempted cyberattacks had slowed in recent weeks ahead of China's presidential visit, four cybersecurity companies interviewed this week by BuzzFeed News said they had seen no slowdown whatsoever in the pace of attacks.
"If there has been a slowdown in attacks, we haven't seen it," said one CEO, whose cybersecurity firm is currently assisting a solar company which was recently hacked by China. He declined to be named as his company has not publicly spoken about what he called "repeated, serious breaches by China."
White House officials have said they are keen to discuss cyber issues with China, but that until now progress has been slow.
"Candidly, cyber is an issue where we have not made the progress that we've wanted to make," said Ben Rhodes, Deputy National Security Advisor, in a conference call with reporters earlier this week. "We believe very strongly that the U.S. and China both have an interest in investing in clear international norms as it relates to cyber activity. We're working together to try to arrive at common principles that could give us greater confidence that China is acting in a manner that does not disadvantage our businesses, and that upholds and invests in those evolving international norms."
Jay Kaplan, CEO of cybersecurity startup Synack and a former NSA cyber security analyst, told BuzzFeed the cyber pact was a step in the right direction "in theory."
"It is completely unenforceable given the non-attributable nature of state-sponsored cyber activities," said Kaplan, referring to the various levels of deception available today for hackers to mask their country of origin. "The pact doesn't address stealing state secrets or intellectual property which is the most prevalent issue today."
The current pact is based on a code of conduct adopted recently by the United Nations, which declared that no state should allow activity "that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public."
"What is being discussed right now is what has already been agreed to in the U.N. It's to get the ball rolling by agreeing to something they've already agreed to," said Bejtilich, who speaks to Congress frequently about the threats of state-sponsored cyberattacks. "The benefits that China gets from stealing intellectual property and other data is too great for them to give up without the us thinking creatively and coming up with a serious threat of action the U.S. government will take if these cyberattacks persist."
Senator Mark Warner, in an interview with BuzzFeed News this week, said that legislation was currently being discussed on how to better protect U.S. businesses, and that the U.S. government had to do more to protect American companies from cyberattacks.
"I frankly think a lot of this is originating in China and I think we need to acknowledge that," said Warner. "If they are not going to cooperate with us, we need to think about other methods."
Rhodes told reporters that at this stage, the U.S. administration was still considering sanctions on China.
"Our preference is resolving this through dialogue, we're not averse to punitive measures, including sanctions, if we feel like there are actors in China and entities that are engaged in activities that are sanctionable," said Rhodes.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.